Slashdot Log In
New Approach To Malware Modifies Linux Kernel
Posted by
timothy
on Sun Sep 28, 2008 01:05 PM
Hugh Pickens writes "Professor Avishai Wool has unveiled a program to watch for malware on servers with a modification to the Linux kernel. 'We modified the kernel in the system's operating system so that it monitors and tracks the behavior of the programs installed on it,' says Wool. Essentially, Wool says, his software team has built a model that predicts how software running on a server should work (pdf). If the kernel senses abnormal activity, it stops the program from working before malicious actions occur. 'When we see a deviation, we know for sure there's something bad going on,' Wool explains. Wool cites problems with costly anti-virus protection. 'Our methods are much more efficient and don't chew up the computer's resources.'"
Related Stories
This discussion has been archived.
No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
Full
Abbreviated
Hidden
Loading... please wait.
Help! (Score:5, Funny)
Re:Help! (Score:4, Funny)
How is this off-topic? The mods must have been infected!
Parent
Re:Help! (Score:5, Funny)
Parent
premise to shutdown (Score:5, Interesting)
Is this not the very premise that caused the Amazon cloud shutdown? A failure to communicate back proper activity illogically deduced that there was an improper activity?
Re:premise to shutdown (Score:5, Funny)
This has greatly increased the online sales of weight-loss products although mostly from browsers identifying themselves as Internet Explorer
Linux users were terminated by their modified kernel after it detected that they were exercising ;)
Parent
selinux (Score:5, Interesting)
Great, sounds exactly like what people have been doing with selinux and capabilities. But selinux acknowledges we don't always do the same things with our computers as the next guy... Will this approach be as flexible?
I don't want to boohoo his research, it's probably fine, but the article summary just gets my goat. Malware is a lot more complicated than most anti-malware software authors make them sound, and false positives are the biggest/most complicated problem they have to deal with, especially in automated systems that block like this...
Re:selinux (Score:5, Interesting)
These malware programs today try to hide themselves into deep that you just couldnt find them if you dont know what you are looking for. This system here as i understand it tries to identify what are the normal parameters for a certain program to work. If the program doesnt do or behave like a normal software, then there must be something wrong with it and alarms go off, lights are blinking and all hell brokes lose.
Oh crap, red lights and i hear noises. Oh it's only the cops.
Parent
Re:selinux (Score:5, Informative)
Well, from my basic reading of the paper it sounds like it won't have false positives but it also will miss many negatives. Essentially when you build it it'll make a map of what system calls can be made and in what sequence. If an application makes a system call it never calls or never can call in that order because it's been hijacked then this thing will stop it. If you manage to do your nasty business using the system calls it normally uses, it won't. Think of it as a auto-hardening system turning off any syscalls or combinations that the application doesn't use anyway. One of the downsides is that if you know this system is in place, you can probably add dummy syscall patterns to your exploit to match the application's behavior unless it's a syscall it never does. Still, there's little reason assuming an attacker is perfect and this is a worthwhile protection for the cases where it does work.
Parent
Re: (Score:3, Insightful)
If an application makes a system call it never calls or never can call in that order because it's been hijacked then this thing will stop it.
The problem is that, for any non-trivial program, it is impossible for a static analyser to decide whether the software will call or not and in what order a specific trap. For instance, that static analyser is not able to tell you in advance at what time the exit syscall will be called.
Re: (Score:3, Insightful)
It can't catch every case, but it can rule out a lot of system calls. If setuid never appears in a program or library's source, it can't be called. If a program calls a bunch of things in an initializer function and then enters a more restricted main loop, the static analyzer should be able to catch that too.
I can't see how this approach could hurt, though of course it won't catch everything.
What about plug-in based systems? (Score:3, Insightful)
How does this thing deal with plug-in/add-on based systems like Firefox or Eclipse, where new capabilities get added to the executable through dlls (or java classes, I guess, in the case of Eclipse? - Although, with regards to Java, I wonder if this system would work at all, since I think the kernel never exactly 'sees' Java programs or classes as executables, but only the JRE, which already has all the system calls built into it?)
Re:What about plug-in based systems? (Score:5, Informative)
How does this thing deal with plug-in/add-on based systems like Firefox or Eclipse, where new capabilities get added to the executable through dlls (or java classes, I guess, in the case of Eclipse? - Although, with regards to Java, I wonder if this system would work at all, since I think the kernel never exactly 'sees' Java programs or classes as executables, but only the JRE, which already has all the system calls built into it?)
It's about servers here, I personally think one should really think thrice before installing plug-ins and add-ons on a server, and rather go browsing on a desktop machine. Regarding Java, I can see your point.
Parent
Re:selinux (Score:4, Informative)
Or the application has been legitimately updated to do new things...
Well that part is handled. The call map is made when the application is compiled, so new source equals new map. That's at least one advantage over SELinux, this is completely automatic and it's always correct in that sense. Though if you want to get this with precompiled binaries, you also have to get precompiled maps so the distros have to help you out - it's not something you can set up on existing binaries on your own.
Parent
Re:selinux (Score:5, Informative)
However, you've probably already spotted the major flaws with this approach: the first is that it only works on compiled programs, which strikes me as a serious problem when you're talking about webservers. The second is that it doesn't work on certain classes of programs whose execution pattern is extremely difficult to predict: self-modifying code, highly dynamic code (longjmp is not allowed), etc. Another limitation is that it only works on statically linked libraries. Finally, it is totally dependent on GCC and friends, which could be a problem for it moving forward, and in groups where the intel compiler is preferred.
As for false positives, the entire point of this is that inside of these admittedly limited confines, it has no possibility for false positives. This system is not statistical in nature. It depends entirely upon the program itself to determine correct syscall behavior.
All in all, while it is a long way from a practical security model, it does offer the promise of powerful, accurate protection from certain classes of attacks. When combined with selinux and pcap on a system with a slim attack profile it could help to narrow the gap between being a zero-day compromise and having full protection.
Parent
Re: (Score:2)
On the other hand, it's strong where selinux is strong(the applcations etc.. are well known... and the context restricted. While I had hope for an approach that required a kernel mod to work, to actually be able to secure that open moat of computing ... the shared hosting server...
Seems all the work is going in applications server, where the hardware is dedicated and the resources are already plenty... And almost no work is going into securing the already at risk segments... (Think the resold cpanel serv
Re: (Score:3, Informative)
Heuristic scanning v2.0? (Score:2)
I could be wrong but this sounds like the heuristic scanning features that has been in Norton Antivirus and other A/V utilities for almost a decade now, where it searches for out of the norm items and reports or blocks them, such as a program deciding to write to the MBR, or a program using raw disk I/O to write to the hard disk.
Re:Heuristic scanning v2.0? (Score:5, Interesting)
Wow, those "heuristics" sound like a simple blacklist of "virus-like" activities.
No, what this does is cleverer. It creates (at compile time) an automaton representing the system call activity of the program, and if the program tries to make a syscall that does not have a matching edge in the automaton, it kills it. Basically, if there is not a code path that should lead to execution of a certain syscall, the program gets killed.
Parent
Just trying to understand (Score:2)
It creates (at compile time) an automaton representing the system call activity of the program
At compile time of the program? So in addition to a modified kernel you need a modified gcc and to compile everything from source or have a specialised distro? It doesn't surprise me that the summary should be lacking such details, but it would be nice if for once it gave a decent overview.
Re:Just trying to understand (Score:5, Informative)
It creates (at compile time) an automaton representing the system call activity of the program
At compile time of the program? So in addition to a modified kernel you need a modified gcc and to compile everything from source or have a specialised distro? It doesn't surprise me that the summary should be lacking such details, but it would be nice if for once it gave a decent overview.
I agree that this was a poor summary but instead of complaining about the summary you could always do something crazy like read the article.
Parent
Re:Just trying to understand (Score:4, Informative)
I wonder if a fix for the buffer overflow (besides languages that make it harder) would be to separate the stacks used for local variables and return addresses.
The problem is that when a call is made to a function the compiler pushes the return address onto the stack. Then the function allocates space for its own variables on top of the same stack. If one of those variables overflows it can hit the return address. That essentially is a mixing of code and data. If you had two stacks then the processor could trigger an exception if anything writes to one of them except via a call or return. You could probably accomplish this via changes to the compiler without a processor change - the processor will always use the regular stack but a compiler could be designed to maintain a separate stack for local variables. You wouldn't have that read-only protection on the regular stack, but the two would be in different segments making an overflow impossible.
Other tricks that are used are things like canarys - values written onto the stack and then checked before a return - if there was an overflow the canary would not be intact. GCC has an option to do this which works most of the time.
Parent
Re: (Score:2)
It's more clever than that. Imagine a program always called select(), read(), and write() in that order. Through static analysis at compile time, you guarantee that's all the program should be doing. If you observe the program run select(), setfsid(), write(), it can't be running the code it was compiled with, and so it should be killed.
Oh great. (Score:5, Funny)
Doesn't our economy have enough problems? Do we really need to put Linux anti-virus vendors out of business? Next we'll probably drive the ice vendors in Alaska to bankruptcy!
Re:Oh great. (Score:5, Funny)
Parent
How it works (Score:4, Interesting)
From the papter: "The resulting model is an automaton that represents the legitimate order of system calls that an application may issue. This automaton is then enforced by Korset's monitoring agent, which is built into the Linux kernel, by simulating every emitted system call."
This is not likely to work for scriptable applications (Apache, Java-based servers, etc.) The order of calls is determined by the script, not the underlying executable.
Re: (Score:2)
From the paper: "The resulting model is an automaton that represents the legitimate order of system calls that an application may issue. This automaton is then enforced by Korset's monitoring agent, which is built into the Linux kernel, by simulating every emitted system call."
Why couldn't malware makers then just insure their programs emulate this profile?
Re: (Score:2)
No, because the whole point of malware is getting a program to do something other than what it's supposed to do, and the profile describes, well, what the program's supposed to do.
Re: (Score:2)
I see now is not a good time use the word insure around Americans!
On topic,
Why couldn't malware makers then just insure their programs emulate this profile?
They could but this
1) makes it a trickier to write the malware
2) limits the scope of damage the malware can do to what the program is doing (much like selinux)
Ummmm..... (Score:3, Informative)
....I thought that was the philosophy behind AppArmor (http://en.opensuse.org/Apparmor).
It's been deployed in SuSE products for years.
Re: (Score:2)
Also the BSD's have something similair I've heared (and forgot the same)
Re:Ummmm..... (Score:4, Informative)
....I thought that was the philosophy behind AppArmor (http://en.opensuse.org/Apparmor).
It's been deployed in SuSE products for years.
Apparmor seems to be a relatively sophisticated least-privilege system, i.e. the idea that if a BIND DNS server should never need to (for example) modify the routing table, then it also should not be able to modify the routing table. That way, if an attacker compromises said DNS server, he won't be able to do very much with it that isn't directly related to serving DNS requests (this is why I would personally refer to such a system as damage control, useful for containing/limiting an attacker who has already compromised something). The system discussed in the article is different in that it seems to be less concerned with what specific tasks a program should or should not be doing and more concerned with whether the code that is executed and the way that it is executed is what you would expect from the program's source. That way, if someone exploits i.e. a buffer overflow and inserts their own shellcode, it would deviate from the pattern that you would have expected from the exploited program and this deviation would be detected.
Both can be compared to systems like PaX [grsecurity.net] (kernel) and SSP [ibm.com] (userspace) which are intended to make sure that an attacker will fail to exploit an existing vulnerability, such as an unpatched buffer overflow, in the first place.
Parent
I'm definitely not an expert... (Score:5, Interesting)
Linux?? (Score:2, Informative)
I really don't think Linux has problems with malware. I think there is an other operating system having more trouble.
As far as I know virus scanners are used on servers mostly to check data that goes through it (example: email server); this data will however not be executed on the server.
Re: (Score:2)
I really don't think Linux has problems with malware. I think there is an other operating system having more trouble.
Maybe, but we still need to work hard to ensure that that is the case; why do you think that SELinux and stack randomisation have been developed ? Remember: pride becomes before a fall!
Re: (Score:2)
I really don't think Linux has problems with malware.
Yet.
Not a lot of /. readers seem to know this but (whispers) most modern Windows malware doesn't depend on the user having administrative privileges.
IOW, a program which, when executes, deletes all your documents then emails itself to all your friends can exist just as easily on Linux as it can on Windows. About the only thing preventing that right now is that nobody's got around to it and it would still require some effort on the users part because AFAIK no Linux mail client will perform file(1) on attach
Not a good article, but an interesting paper. (Score:5, Insightful)
OK, what this is doing is watching for code injection attacks (buffer overflows, stack smashing, etcetera) by building a model of how each specific application is going to operate, and blocking system calls that the model of the application would never make. It seems like an interesting approach, though it may not be as useful on Windows where there's not such a formal distinction between system calls and other kinds of calls.
It won't do anything about interpreter code injection (eg, SQL injection or shell code injection) or script privilege escalation attacks (eg, ActiveX and other "cross zone" attacks in Internet Explorer), or attacks that involve complete executable code drops.
Still, this is useful and not nearly as dodgy as the article made it sound.
Re: (Score:3, Informative)
if my exchange server is compromised and starts to serve webpages by binding to a port other than port 25, this method would catch it and kill the process in its tracks.
On the other hand, if your exchange server is compromised and starts shipping spam it won't do a damn thing to stop it. And if your exchange server is compromised and loads a DLL using its normal API for loading modules, then it can do anything that module will attack.
You application, which normally never spawns a procses while in a certain
how is this better than grsec or selinux? (Score:2)
Will fork bomb do work still? (Score:2, Interesting)
I might give it a spin (Score:3, Interesting)
Sounds like a good idea to me, I just want to see what the Linux kernel pros think of it...
Re: (Score:3, Interesting)
It's kind of like Vista (Score:4, Interesting)
Sounds from the summary at least (hey, it's slashdot, I haven't read the article) that it's similar in some ways to the service profiling in Vista. The service profiling means that the dev looked at what the service needed to do to be able to run and gave it only those permissions, restricting the damage it could do if it were compromised. This seems to extend that to give the kernel the intelligence to baseline the services itself, and then restrict activity when the baseline activity changes.
Tron (Score:3, Interesting)
Somehow, this technique reminds me of the (obviously rather simplistic) description of the functionality of the Tron program from the movie of the same name. From the script [imsdb.com]:
DILLINGER
[...]
What's the thing you're working on?
ALAN
It's called Tron. It's a security
program itself, actually. Monitors
all the contacts between our system
and other systems... If it finds
anything going on that's not scheduled,
it shuts it down. I sent you a memo
on it.
DILLINGER
Mmm. Part of the Master Control Program?
ALAN
No, it'll run independently.
It can watchdog the MCP as well.
As I understand it (Score:3, Insightful)
this isn't anything specifically to do with malware.
As far as I can see, this verifies that the binary currently running is the same binary that was compiled from a (trusted) source.
When you compile it, it knows (from the source) what the program will and won't do. If the program deviates from that, it dies (as it's been replaced by malware, presumably)
If I'm wrong, please correct me...
Re: (Score:2)
I think they want to prevent running programs that have had a some kind of overflow and there 'code rewritten' to be able to do things they were never intended to do. And by using source-code analysis this might be an easier way to construct a lot of a program is allowed to do.
Re: (Score:2, Insightful)
This is drivel - it assumes that a static binary analysis can be used to predict the dynamic behavior of a non-trivial application, with zero false positives.
Which is why I tagged this with "haltingproblem". If it's impossible to write a terminating program which simply determines whether or not another program terminates, just how likely is it that a program can correctly predict far more complex behavior of another program? Since the halting problem is noncomputabe, we know it can't do it with 100% rel
Re:Completely incorrect basic assumptions (Score:5, Interesting)
You're right. You can't exactly predict the behavior of a program without running it.
But that's not what this package is trying to do. Instead, it's trying to rule out large swaths of the behavior space of a program based on static analysis. Of course there will be false negatives -- i.e., malicious actions that remain undetected. But I don't really see how false positives would be a danger, modulo bugs in the static analyzer.
I imagine this package would be nearly useless for something like firefox, which does many varied tasks. But for programs like exim, or bind, or vsftp -- which do one task over and over again -- the degree of protection should be pretty good because there's a lot these programs don't do.
Parent
Re: (Score:2)
1. Linux has no viruses. Why would we need something like this?
Because Linux has vulnerabilities which can be (and have been in the past) used to take control of a system, and this is an attempt to fight that. All viruses are malware but not all malware are viruses.
2. If they're going to make a list of the behaviour of _every_ program, then that list would be HUGE, and take petabytes. A blacklist is a lot easier to make and keep up.
Unless I'm mistaken, this only needs a whitelist for the software installed on the system, so itwon't be that big and a whitelist is safer from a security point of view (uptime may be problematic, though, depending on the number of false positives).
3. This still wouldn't protect the weakest link: the user. If a virus asks the user :" Add IAmATrojan.exe to the whitelist ", a lot of people wouldn't do it. Heck, if you need even need a normal anti-virus, you're to stupid to work with computers.
Because this is primarily aimed at servers, and if someone w
Re: (Score:2)
You link to some random asshat (probably yourself) who links to a dead link. Nice try.
Sorry to blow your illusion, but that's just pathetic.
Re: (Score:2)
Uhhh... no. A monolithic kernel still uses a user space/kernel space separation. They're monitoring stuff that's happening in the user space by what system calls those userland applications make (to the kernel).
If you considered a Linux kernel to be an entire operating system, you wouldn't be able to get a whole lot done on your computer. Think system libraries etc.